<?php

include_once "function_xml_basic.php";
include_once "function_xml_atom.php";
include_once "function_obj_analyse.php";

$root_path = "/MINI/SECURITY/POLICY/FILTERS";
$root_path_tmp = "/MINI/SECURITY/POLICY/FILTERS";
$iptables = "/usr/local/bin/iptables  ";

function GetXmlSecObjectByName($name)
{
	$ret_array = GetXmlSecObjectList();
    
        foreach ($ret_array as $ret)
        {   
                if ($ret['Name'] == $name)
                        return $ret;
        }   
        return NULL;

}

function GetXmlSecObjectByNumber($n)
{
	global $root_path_tmp;
	$query_string = $root_path_tmp. "/FILTER"."[". $n. "]";
	$key_array = array("Name", "InDev", "OutDev", "SrcAddr", "DstAddr", "Pro_L7", "Filter_Word","Mark_Set",
			   "Srv", "Time", "Target", "Enabled");
	$list = GetAttributList($query_string, $key_array);
	$list[0]["Filter_Word"] = base64_decode($list[0]["Filter_Word"]);
	$r = $list[0];
	return $r;

}
function GetXmlSecFilterList()
{
	global $root_path_tmp;
	$query_string = $root_path_tmp. "/FILTER";
	$key_array = array("Name", "InDev", "OutDev", "SrcAddr", "DstAddr", "Pro_L7", "Filter_Word", "Mark_Set",
			   "Srv", "Time", "Target", "Enabled");
	$list = GetAttributList($query_string, $key_array);
	for ($i = 0; $i < count($list); $i ++)
	{
		$list[$i]["Filter_Word"] = base64_decode($list[$i]["Filter_Word"]);
	}
	return $list;
}

function GetXmlNumberSecFilters()
{
	global $root_path;
	$query_string = $root_path. "/FILTER";
	return GetNumberOfNode($query_string);
}

function DelXmlSpecialOneSecObject($name)
{
	global $root_path;

	$query_string = $root_path. "/FILTER[@Name='". $name. "']";
	DelSpecialNode($query_string);
	ApplySecFilterRule();
}

function AppendXmlSecOneFilter($in_array)
{
	global $root_path;
        $node_name = "FILTER";
	$query_string = $root_path;
	$in_array['FilterType'] = "1";
	$in_array['Filter_Word'] = base64_encode($in_array['Filter_Word']);
	AppendAllAttrOfNode($query_string, $node_name, $in_array);
	ApplySecFilterRule();

}

function InsertXmlSecOneFilter($number, $in_array)
{
	global $root_path;
	$node_name = "FILTER";
	$query_string_from = $root_path. '/FILTER['. $number. ']';
	//print $query_string_from;
	InsertOneNode($query_string_from, $node_name, $in_array);
	ApplySecFilterRule();
}

function SetXmlSecOneFilter($in_array, $number)
{
	global $root_path;
	$in_array['FilterType'] = "1";
	$query_string = $root_path. "/FILTER[". $number. "]";
	$in_array['Filter_Word'] = base64_encode($in_array['Filter_Word']);
	EditAllAttrOfNode($query_string, $in_array);
	ApplySecFilterRule();
}

function MoveXmlOneSecFilter($from, $to)
{
	global $root_path;
	$query_string_from = $root_path.  "/FILTER". "[". $from. "]";
	$query_string_to= $root_path. "/FILTER". "[". $to. "]";
	$query_string_number= $root_path. "/FILTER";
	
	if ($from == $to)
		return SUCCESS;

	$number = GetXmlNumberSecFilters();
	if ($from > $number || $to > $number)
		return ERR_VALUE;

	if ($from > $to)
	{
		MoveFrontOneNode($query_string_from, $query_string_to);
	}
	else
	{
		$number = GetXmlNumberSecFilters();
		if ($to < $number)
		{
			$query_string_to= $root_path. "/FILTER". "[". ($to + 1 ). "]";
			MoveFrontOneNode($query_string_from, $query_string_to);
		}
		else
		{
			MoveEndOneNode($query_string_from, $query_string_to);
		}
	}
	ApplySecFilterRule();
	return SUCCESS;
}

function DelXmlAllSecFilters()
{
	global $root_path;
	$query_string = $root_path. "/FILTER";
	DelSpecialNode($query_string);
	FlushAllFilterRule();
}
/*
function GetXmlSecGroupByName($name)
{
	$ret_array = GetXmlSecGroupList();
    
        foreach ($ret_array as $ret)
        {   
                if ($ret['Name'] == $name)
                        return $ret;
        }   
        return NULL;
}
*/
/*function GetXmlSecGroupList()
{
	global $root_path;
	$query_string = $root_path. "/GROUP/OBJECT";
	$key_array = array('Name', 'ObjectList', 'ObjectType');
	return GetAttributList($query_string, $key_array);
}
*/
/*
function SetXmlSecGroup($in_array)
{
	global $root_path;
	$in_array['ObjectType'] = "1";
	$query_string = $root_path. "/GROUP/OBJECT[@Name='". $in_array['Name']. "']";
	EditAllAttrOfNode($query_string, $in_array);
}

function DelXmlSpecialOneSecGroup($name)
{
	global $root_path;

	$query_string = $root_path. "/GROUP/OBJECT[@Name='". $name. "']";
	DelSpecialNode($query_string);
}
*/
function FlushAllFilterRule()
{
	$iptables = "/usr/local/bin/iptables  ";
	$command = "";
	$command1 = $iptables. " -t nat -F USERFILTER; ";
	$command2 = $iptables. " -t mangle -F PREROUTING; ";
	$command = $command1. $command2;
	//print $command;
	$ret = shell_exec($command);
	return $ret;
}

function FlushProxyServerFilterRule()
{
	$iptables = "/usr/local/bin/iptables  ";
	$command = "";
	$command = $iptables. " -F PROXYSERVER;";
	//print $command;
	$ret = shell_exec($command);
	return $ret;
}

function ApplySecFilterRule()
{
	include_once "function_sys_license.php";
	$license = CheckSysLicenseForRule();
	if ($license == FALSE)
	{
		return ;
	}

	FlushAllFilterRule();
	FlushProxyServerFilterRule();
	ApplySecFilterRule_One();
	
	return ;
}
function ApplySecFilterRule_One()
{
	$iptables = "/usr/local/bin/iptables  ";
	
	$ret_list = GetXmlSecFilterList();
	
	//$key_array = array("Name", "InDev", "OutDev", "SrcAddr", "DstAddr", 
	//		   "Srv", "Time", "Target", "Enabled");
	$command = "";
	$ext_command = "";

	foreach ($ret_list as $ret)
	{
		
		//print $ret['Enabled'];
		if ($ret['Enabled'] == 0)
		{
			continue;
		}
		
		// ------ Table ------
		$table = " -t nat -A USERFILTER ";
		
		// ------ Active ------
		$value_xml = "";
		$value_xml = $ret['Target'];
		if ($value_xml == "ANTI_VIRUS")
		{
			if ($ret['Srv'] == "AntiVirus_POP3" || $ret['Srv'] == "AntiVirus_SMTP")
			{
				$operate = " -j REDIRECT --to-port 8110 ";
				$ext_command .= $iptables. " -A PROXYSERVER -p tcp --dport 8110 -j ACCEPT;";
			}
			if ($ret['Srv'] == "AntiVirus_HTTP")
			{
				$operate = " -j REDIRECT --to-port 8080 ";
				$ext_command .= $iptables. " -A PROXYSERVER -p tcp --dport 8080 -j ACCEPT;";
			}
			if ($ret['Srv'] == "AntiVirus_FTP")
			{
				$operate = " -j REDIRECT --to-port 2121 ";
				$ext_command .= $iptables. " -A PROXYSERVER -p tcp --dport 2121 -j ACCEPT;";
			}
		}
		else if ($value_xml == "FILTER")
		{
			$operate = " -m string --algo bm --string ". $ret['Filter_Word']. " ";
		}
		else if ($value_xml == "MARK")
		{
			$operate = " -j MARK --set-mark ". $ret['Mark_Set']. " ";
			$table = " -t mangle -A PREROUTING ";
		}
		else
			$operate = " -j ". $value_xml;

		// ------ In dev ------
		$value_xml = "";
		$value_xml = $ret['InDev'];
		$indev = ($value_xml == '' || $value_xml == 'All')?(" "):(" -i ". $value_xml. " ");

		// ------ Out dev ------
		$value_xml = "";
		$value_xml = $ret['OutDev'];
		$outdev = ($value_xml == ''|| $value_xml == 'All')?(" "):(" -o ". $value_xml. " ");
		
		// ------ Protocol for L7 ------
		$value_xml = "";
		$value_xml = $ret['Pro_L7'];
		if ($value_xml == '' || $value_xml == 'All')
		{
			$pro_l7 = "";
		}
		else
		{
			include_once "function_obj_protocol.php";
			$pro_tmp = GetXmlProtocolObjectByName($value_xml);
			$pro_l7 = " -m layer7 --l7proto ". $pro_tmp. " ";
		}
			
		// ------ Service ------
		$value_xml = "";
		$value_xml = $ret['Srv'];

		if ($value_xml == '' || $value_xml == 'All')
		{
			$srvtype = "";
		}
		else
		{	
			$src_srv_port = "";
			$dst_srv_port = "";
			$srv_ret_list = GetRealServiceValueByName($value_xml);
			foreach ($srv_ret_list as $srv_ret)
			{
				if ($srv_ret['Protocol'] == '')
					continue;
				
				if ($srv_ret['Protocol'] == '1')
				{
				 	$srvtype = " -p icmp ";
				}
				else if ($srv_ret['Protocol'] == '6' || $srv_ret['Protocol'] == '17' )
				{
					if ($srv_ret['SrcStartPort'] != "" || $srv_ret['SrcEndPort'] != "" )
					{
						$src_srv_port .= " --sport ";
						$src_srv_port .= $srv_ret['SrcStartPort'];	
						$src_srv_port .= ":";
						$src_srv_port .= $srv_ret['SrcEndPort'];
						$src_srv_port .= " ";
					}
					if ($srv_ret['DstStartPort'] != "" || $srv_ret['DstEndPort'] != "" )
					{
						$dst_srv_port .= " --dport ";
						$dst_srv_port .= $srv_ret['DstStartPort'];	
						$dst_srv_port .= ":";
						$dst_srv_port .= $srv_ret['DstEndPort'];
						$dst_srv_port .= " ";
					}
					if ($srv_ret['Protocol'] == '6')
					{
						$srvtype = " -p tcp ";
					}
					if ($srv_ret['Protocol'] == '17')
					{
						$srvtype = " -p udp ";
					}
					$srvtype .= $src_srv_port. $dst_srv_port;
				}
				else // Other integer !
				{
					$srvtype = " -p ". $srv_ret['Protocol']. " ";
				}
			}
		}
		
		// ------ Source address ------
		$value_xml = "";
		$value_xml = $ret['SrcAddr'];

		if ($value_xml == ''|| $value_xml == 'All')
		{
			$src_temp = array ("IpString" => " ", "IpType" => -1);
			$src_ret_list = array( $src_temp);
		}
		else
		{
			$src_ret_list = GetRealNetValueByName($value_xml);
		}
		
		// ------ Des address ------
		$value_xml = "";
		$value_xml = $ret['DstAddr'];
		
		if  ($value_xml == ''|| $value_xml == 'All')
		{
			$dst_temp = array ("IpString" => " ", "IpType" => -1);
			$dst_ret_list = array( $dst_temp);
		}
		else
		{
			$dst_ret_list = GetRealNetValueByName($value_xml);
		}
		
		foreach ($src_ret_list as $src_ret)
		{
			if ($src_ret["IpString"] == NULL)
			{
				continue;
			}
			
			if ($src_ret["IpType"] == 1 || $src_ret["IpType"] == 2)
			{
				$srcaddr = " -s ".$src_ret["IpString"];
			}
			else if ($src_ret["IpType"] == 0)
			{
				$srcaddr = " -m iprange --src-range ". $src_ret["IpString"];
			}
			else
			{
				$srcaddr = " ";
			}

			foreach ($dst_ret_list as $dst_ret)
			{
				if ($dst_ret["IpString"] == NULL)
				{
					continue;
				}
				
				if ($dst_ret["IpType"] == 1 || $dst_ret["IpType"] == 2)
				{
					$dstaddr = " -d ".$dst_ret["IpString"];
				}
				else if ($dst_ret["IpType"] == 0)
				{
					$dstaddr = " -m iprange --dst-range ". $dst_ret["IpString"];
				}
				else
				{
					$dstaddr = " ";
				}
				
				$command .= $iptables. $table. $indev. $srcaddr. $srvtype. $pro_l7. $outdev. $dstaddr. $operate. ";";
			}
		}
	}
	//print $command;
	$ret = shell_exec($command);
	$ret = shell_exec($ext_command);
	return $ret;
}

?>
